Twice initialization openssl

[unreturned]

I did this

Full steps to reproduce problem:

1. Build GOST engine for openssl 1.1.1

$ mkdir /tmp/testgostengine/
$ git clone -b openssl_1_1_1 --single-branch https://github.com/gost-engine/engine /tmp/testgostengine/
$ mkdir /tmp/testgostengine/build/; cd /tmp/testgostengine/build/
$ cmake --configure .
$ cmake --build . --config Release

2. Write minimal config

$ cat /tmp/testgostengine/example.conf | sed 's|dynamic_path = ./bin/gost.so|dynamic_path = /tmp/testgostengine/bin/gost.so|g' > /tmp/testgostengine/openssl.conf

3. Use it to connect to test host

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure --head https://tlsgost-2001.cryptopro.ru/

Output of command

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
GOST engine already loaded
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

And in this output we have some problem like GOST engine already loaded. Is it problem with twice initialization openssl in curl? For example, if I don't use curl and do fetch by only php and openssl like this, I haven't this error:

Test php script:

$ cat << 'EOF' > /tmp/testgostengine/test.php
<?php

$mySSLContext = array(
    "ssl" => array(
        "verify_peer" => false,
        "verify_peer_name" => false,
    ),
);

print_r(file_get_contents("https://tlsgost-2001.cryptopro.ru/", false, stream_context_create($mySSLContext)));
EOF

Output:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf php /tmp/testgostengine/test.php
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

No error GOST engine already loaded.

I expected the following

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

curl/libcurl version

$ curl -V
curl 7.73.0 (x86_64-pc-linux-gnu) libcurl/7.73.0 OpenSSL/1.1.1h zlib/1.2.11 zstd/1.4.5 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-10-14
Protocols: dict file ftp ftps gopher http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

operating system

Archlinux

uname -a
Linux myzion 5.9.10-arch1-1 #1 SMP PREEMPT Sun, 22 Nov 2020 14:16:59 +0000 x86_64 GNU/Linux

[bagder]

So from where in libcurl is the openssl engine initialized, both times? Can you check?

[unreturned]

Hello!

I'm sorry, but my expertise in this question very poor. And probably I did not correctly name the problem.

But I found some, that can be possible usefull.

I try to look at

curl/lib/vtls/openssl.c

Line 1134 in c7b02c5

#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG

and build curl with --disable-openssl-auto-load-config and it solves problem for me:

OPENSSL_CONF=/tmp/testgostengine/openssl.conf /tmp/curl/src/curl --insecure 'https://tlsgost-2001.cryptopro.ru/'
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Crypto-Pro tls server!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to Crypto-Pro tls server!</h1>
<p> TLS connection with id-GostR3410-2001-CryptoPro-XchA-ParamSet no auth requred.</p>


</body>
</html>

And with this option curl reads file once:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf strace /tmp/curl/src/curl --insecure 'https://tlsgost-2001.cryptopro.ru/' 2>&1 | grep openssl.conf
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 6
read(6, "openssl_conf = openssl_def\n[open"..., 4096) = 262

$ strace /tmp/curl/src/curl --head 'https://google.com/' 2>&1 | grep openssl
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 6

By default ./configure, without option --disable-openssl-auto-load-config curl reads conf file twice:

$ OPENSSL_CONF=/tmp/testgostengine/openssl.conf strace curl --insecure 'https://tlsgost-2001.cryptopro.ru/' 2>&1 | grep openssl.conf
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 3
read(3, "openssl_conf = openssl_def\n[open"..., 4096) = 262
openat(AT_FDCWD, "/tmp/testgostengine/openssl.conf", O_RDONLY) = 6
read(6, "openssl_conf = openssl_def\n[open"..., 4096) = 262

$ strace curl --head 'https://google.com/' 2>&1 | grep openssl
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 6

Hope, this helps.